August 16, 2012

Is SSO secure?

This morning I had a CEO from a major IT Service Provider ask my a question point blank:

Is SSO secure?

He was concerned with the realization that more and more services are moving to the cloud, and the recommendation by companies like Microsoft on how to "make it easier on users" and still more secure was to reuse their domain credentials through something like Active Directory Federation Services (ADFS) and dirsync. The concept of federation clearly has benefits, as it does make it easier for people as they have to remember less passwords. However, my response to his question surprised him, and he asked if I would share it publicly.

So here is that response.

The short answer in general is "Yes". SSO can be secure. The longer answer is that it depends on the initial authentication. SSO works by extending the reach of the initial authentication step. So long as that step is robust, subsequent application logins can also be trust worthy. In other words, if a user signs into the SSO system with a stronger credential that increases the level of identity assurance, you can have a higher level of confidence in who is making those requests. A simple password to log into a SSO system is not enough. This is why AuthAnvil Two Factor Auth is mandatory in AuthAnvil Single Sign On. To extend on-premise trust to the cloud, you HAVE to be sure of the initiating party. And you should CONTROL that trust; you shouldn't abdicate that responsibility to yet another cloud service that isn't in your control.

So ADFS with a domain credential by itself doesn't make cloud access more secure. You are simply using a static password that can be shared, stolen or guessed. Where it is stored and the password policies you set has some benefit and bearing, but not a whole lot. Worse yet, you expose your business to greater risk if that credential can somehow be captured; so if you think that using ADFS in something like Office 365 is a good idea when accessed from untrusted PCs, you are being short sighted. Consider what could happen in a business running Small Business Server with ADFS. If a keylogger or browser plugin sniffer captures that credential as you login to your favorite cloud service, they can now also log into Remote Web Access (RWA) or RD Gateway and directly connect to all your files and PCs. Clearly that becomes a new risk you have to consider. And monitor. And a new threat to defend against.

The benefits of using SSO are about simplifying the user's experience by having them log in once, and then have access to the applications they use all day without having to enter a password again. In the old days of local networks where Kerberos could be used, that was easy. In a world where we have to extend access to applications in the cloud, it gets a bit more difficult. Especially when the hosts we may be using will probably be LESS trusted as they are not managed by the company. Tablets. Smartphones. Home computers. Computers and kiosks in public places. The list goes on and on.

This is one of the benefits of AuthAnvil Password Solutions. You get both AuthAnvil Two Factor Auth and AuthAnvil Single Sign On together, along with static password management with AuthAnvil Password Server. So if you want to access things like Google Apps or Office 365 you can do so WITHOUT having to know a password. You end up using a PIN with a stronger one-time password generated by your AuthAnvil token, an app running on your smartphone or Yubikey. So users don't have to remember another password. That credential is much stronger. Cannot be duplicated or forged. Or ever reused.

So to that CEO, yes SSO can be secure. As long as that initial authentication is strong. Don't rely on a simple password as your sole defense to all your sentive applications and systems. Use a system that supports multifactor authentication with identity assurance like AuthAnvil Single Sign On.